[NTOSKRNL:FSRTL] Fix memory corruption when pruning tunnel cache

zefklop · zefklop · commit 0db79d4aa9d6 · 2020-12-04T16:08:14.000+01:00
diff --git a/ntoskrnl/fsrtl/tunnel.c b/ntoskrnl/fsrtl/tunnel.c
@@ -42,7 +42,7 @@ FsRtlFreeTunnelNode(
 {
     if (PoolList)
     {
-        /* divert the linked list entry, it's not required anymore, but we need it */ 
+        /* divert the linked list entry, it's not required anymore, but we need it */
         InsertHeadList(PoolList, &CurEntry->TimerQueueEntry);
         return;
     }
@@ -124,7 +124,8 @@ FsRtlPruneTunnelCache(
     /* If we have too many entries */
     while (Cache->NumEntries > TunnelMaxEntries)
     {
-        CurEntry = CONTAINING_RECORD(Entry, TUNNEL_NODE_ENTRY, TimerQueueEntry);
+        ASSERT(!IsListEmpty(&Cache->TimerQueue));
+        CurEntry = CONTAINING_RECORD(Cache->TimerQueue.Flink, TUNNEL_NODE_ENTRY, TimerQueueEntry);
         FsRtlRemoveNodeFromTunnel(Cache, CurEntry, PoolList, &Rebalance);
     }
 }
@@ -477,7 +478,7 @@ FsRtlAddToTunnelCache(IN PTUNNEL Cache,
                   RtlInsertAsRightChild(RtlParent(CurEntry), NodeEntry);
               }
          }
-         
+
          /* remove entry */
          RemoveEntryList(&((PTUNNEL_NODE_ENTRY)CurEntry)->TimerQueueEntry);
 

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ FsRtlFreeTunnelNode(`
`42`	`42`	`{`
`43`	`43`	`if (PoolList)`
`44`	`44`	`{`
`45`		`- /* divert the linked list entry, it's not required anymore, but we need it */`
	`45`	`+ /* divert the linked list entry, it's not required anymore, but we need it */`
`46`	`46`	`InsertHeadList(PoolList, &CurEntry->TimerQueueEntry);`
`47`	`47`	`return;`
`48`	`48`	`}`
`@@ -124,7 +124,8 @@ FsRtlPruneTunnelCache(`
`124`	`124`	`/* If we have too many entries */`
`125`	`125`	`while (Cache->NumEntries > TunnelMaxEntries)`
`126`	`126`	`{`
`127`		`- CurEntry = CONTAINING_RECORD(Entry, TUNNEL_NODE_ENTRY, TimerQueueEntry);`
	`127`	`+ ASSERT(!IsListEmpty(&Cache->TimerQueue));`
	`128`	`+ CurEntry = CONTAINING_RECORD(Cache->TimerQueue.Flink, TUNNEL_NODE_ENTRY, TimerQueueEntry);`
`128`	`129`	`FsRtlRemoveNodeFromTunnel(Cache, CurEntry, PoolList, &Rebalance);`
`129`	`130`	`}`
`130`	`131`	`}`
`@@ -477,7 +478,7 @@ FsRtlAddToTunnelCache(IN PTUNNEL Cache,`
`477`	`478`	`RtlInsertAsRightChild(RtlParent(CurEntry), NodeEntry);`
`478`	`479`	`}`
`479`	`480`	`}`
`480`		`-`
	`481`	`+`
`481`	`482`	`/* remove entry */`
`482`	`483`	`RemoveEntryList(&((PTUNNEL_NODE_ENTRY)CurEntry)->TimerQueueEntry);`
`483`	`484`